01-14-2016 11:39 AM - edited 07-05-2021 04:29 AM
Hi All,
Can we block Android/Apple iOS smartphones via device profiling?
This feature is available in Ruckus (Device Access Policy).
I need to block smartphones (iOS) so that only laptop users can connect and they won't be able to access their smartphones etc.
01-14-2016 04:47 PM
Hi,
How are you authenticating wireless users? Do you have Cisco ISE? If you have ISE you could use authorisation policies.
Thanks
John
01-17-2016 11:09 AM
No, we don't have ISE.
It's a plain Controller 2504.
01-17-2016 01:55 PM
In that case you have to use the internal profiling of the WLC, which is available since software version 8.x. Based on the profiling information you can apply an ACL in which you simply deny all traffic. Keep in mind that if your end-users don't know about this policy this might frustrate them and they might try to connect anyway. This can result in a lot of clients continuously trying to connect, which can harm the quality of your RF.
Configure local profiling
1. Security -> Access Control Lists -> Access Control Lists -> "New" and name the access-list "Acl-DenyAll". Click on it, and add a new rule with sequence 1 in which you deny everything.
2. Security -> Local Policies -> "New" and name the policy "BlockApple". Now you can configure the policy. Add "Apple-iPhone" from the drop-down device list under the matching criteria. Select the newly created ACL as action and click on "Apply".
3. WLANs -> your WLAN ID -> Policy-Mapping tab and select as priority Index number 1 with "BlockApple" as Local Policy. Click on Add and Apply.
Make sure that DHCP and HTTP profiling are enabled on the advanced tab of your WLAN so that the smartphones can be identified.
Please rate useful posts... :-)
01-17-2016 09:00 PM
The issue also is that profiling isn't 100%. Rooted and jailbroken phones can get around this. The best way is to look at the security you're using in the WLAN. If you use 802.1x, then either use machine authentication or EAP-TLS. This way no other device can join. If you allow non-domain machines or have one-off devices like MacBooks, etc., well then it makes it hard to do what you want with 100% accuracy because of the one-off.
-Scott
*** Please rate helpful posts ***
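An added example (not from any poster in this thread, and not the WLC's own profiler) of why a deny-by-device-type policy such as "BlockApple" is best-effort: the device type is derived from fields the client itself sends, and anything that is not positively classified falls through to permit. The fingerprint table, sample packets and function names below are constructed for illustration.

```python
# Constructed fingerprint table keyed on the DHCP parameter request list
# (option 55). Real profilers use a much larger, vendor-maintained database.
FINGERPRINTS = {
    (1, 121, 3, 6, 15, 119, 252): "Apple-iPhone",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows-Workstation",
}
BLOCKED_TYPES = {"Apple-iPhone"}  # mirrors the "BlockApple" local policy above

def parse_dhcp_options(raw: bytes) -> dict:
    """Walk the DHCP options field (code, length, value triples per RFC 2132)."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def classify(raw: bytes) -> str:
    """Return the device type for a DHCP options blob, or 'Unknown'."""
    prl = tuple(parse_dhcp_options(raw).get(55, b""))
    return FINGERPRINTS.get(prl, "Unknown")

def policy_action(raw: bytes) -> str:
    """Deny only what was positively profiled as a blocked type."""
    return "deny" if classify(raw) in BLOCKED_TYPES else "permit"

def build(prl, hostname: bytes) -> bytes:
    """Build a constructed options field: msg type 53, option 55, hostname 12."""
    return (bytes([53, 1, 3]) + bytes([55, len(prl)]) + bytes(prl)
            + bytes([12, len(hostname)]) + hostname + b"\xff")

# Constructed samples: a profiled phone, a laptop, and a phone whose request
# list is not in the table (for example after an OS update).
IPHONE = build([1, 121, 3, 6, 15, 119, 252], b"iPhone")
LAPTOP = build([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252], b"LAPTOP-01")
UNPROFILED_PHONE = build([1, 3, 6, 15, 119, 252, 114], b"iPhone")

if __name__ == "__main__":
    for name, pkt in [("iphone", IPHONE), ("laptop", LAPTOP), ("unprofiled", UNPROFILED_PHONE)]:
        print(name, classify(pkt), policy_action(pkt))
```

The third sample shows the fail-open case: the policy never matches an unclassified client, which is why certificate or machine authentication on 802.1x is the control that actually restricts which devices join.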
01-27-2016 01:41 AM
Hi Freerk,
Thanks for the reply.
What I understand after googling is that we can allow the ios (Windows, Apple) to connect to the SSID, but we can't block the ios (Apple/Android/iPad).
Can you please suggest...
02-14-2016 06:25 AM
Hello Freerk,
I tried the above option but devices are still getting connected.
Please help me out here.
Thanks in advance
02-14-2016 08:04 AM
Are devices being correctly profiled and is your local profile being applied to those clients? You can check this on the client detail information. Keep in mind: this only prohibits clients from sending traffic; they can still associate and authenticate. If you want to do this properly you have to go with the way Scott described, which means a dot1x implementation.